rpms/selinux-policy-strict/FC-4 policy-20050811.patch, NONE, 1.1 .cvsignore, 1.114, 1.115 selinux-policy-strict.spec, 1.316, 1.317 sources, 1.120, 1.121
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri Sep 16 14:31:44 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-strict/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv19788
Modified Files:
.cvsignore selinux-policy-strict.spec sources
Added Files:
policy-20050811.patch
Log Message:
* Fri Sep 16 2005 Dan Walsh <dwalsh at redhat.com> 1.25.4-10.1
- Update to match targetd released policy
policy-20050811.patch:
Makefile | 38 +++++
attrib.te | 2
domains/misc/kernel.te | 2
domains/program/crond.te | 7 -
domains/program/fsadm.te | 7 -
domains/program/getty.te | 4
domains/program/hostname.te | 3
domains/program/ifconfig.te | 5
domains/program/initrc.te | 16 ++
domains/program/ldconfig.te | 3
domains/program/load_policy.te | 6
domains/program/login.te | 12 -
domains/program/modutil.te | 14 +-
domains/program/mount.te | 3
domains/program/netutils.te | 3
domains/program/passwd.te | 3
domains/program/restorecon.te | 5
domains/program/setfiles.te | 2
domains/program/ssh.te | 18 +-
domains/program/syslogd.te | 2
domains/program/unused/NetworkManager.te | 8 -
domains/program/unused/acct.te | 10 -
domains/program/unused/alsa.te | 11 +
domains/program/unused/amanda.te | 53 -------
domains/program/unused/apache.te | 12 +
domains/program/unused/apmd.te | 8 +
domains/program/unused/auditd.te | 2
domains/program/unused/automount.te | 4
domains/program/unused/backup.te | 2
domains/program/unused/bluetooth.te | 18 ++
domains/program/unused/bootloader.te | 2
domains/program/unused/cardmgr.te | 3
domains/program/unused/certwatch.te | 11 +
domains/program/unused/clockspeed.te | 3
domains/program/unused/cups.te | 12 +
domains/program/unused/cvs.te | 10 -
domains/program/unused/cyrus.te | 10 +
domains/program/unused/dbusd.te | 9 +
domains/program/unused/ddclient.te | 6
domains/program/unused/dhcpc.te | 6
domains/program/unused/dovecot.te | 4
domains/program/unused/dpkg.te | 3
domains/program/unused/firstboot.te | 7 -
domains/program/unused/fs_daemon.te | 2
domains/program/unused/ftpd.te | 8 -
domains/program/unused/hald.te | 1
domains/program/unused/hwclock.te | 5
domains/program/unused/i18n_input.te | 2
domains/program/unused/ipsec.te | 7 -
domains/program/unused/kudzu.te | 4
domains/program/unused/lvm.te | 1
domains/program/unused/mailman.te | 2
domains/program/unused/mta.te | 6
domains/program/unused/mysqld.te | 7 -
domains/program/unused/ntpd.te | 4
domains/program/unused/openct.te | 16 ++
domains/program/unused/pamconsole.te | 2
domains/program/unused/ping.te | 12 +
domains/program/unused/postfix.te | 3
domains/program/unused/postgresql.te | 4
domains/program/unused/pppd.te | 22 ++-
domains/program/unused/procmail.te | 3
domains/program/unused/readahead.te | 21 +++
domains/program/unused/rlogind.te | 2
domains/program/unused/roundup.te | 29 ++++
domains/program/unused/rpcd.te | 2
domains/program/unused/rpm.te | 3
domains/program/unused/rsync.te | 4
domains/program/unused/samba.te | 16 +-
domains/program/unused/saslauthd.te | 10 +
domains/program/unused/slocate.te | 4
domains/program/unused/snmpd.te | 5
domains/program/unused/squid.te | 3
domains/program/unused/sxid.te | 1
domains/program/unused/udev.te | 7 -
domains/program/unused/vpnc.te | 17 ++
domains/program/unused/winbind.te | 1
domains/program/unused/ypserv.te | 1
domains/program/useradd.te | 2
file_contexts/distros.fc | 5
file_contexts/program/apache.fc | 8 -
file_contexts/program/bluetooth.fc | 1
file_contexts/program/certwatch.fc | 3
file_contexts/program/clamav.fc | 2
file_contexts/program/cups.fc | 1
file_contexts/program/dhcpc.fc | 1
file_contexts/program/dhcpd.fc | 2
file_contexts/program/fsadm.fc | 1
file_contexts/program/ipsec.fc | 1
file_contexts/program/openct.fc | 2
file_contexts/program/postfix.fc | 2
file_contexts/program/postgresql.fc | 4
file_contexts/program/pppd.fc | 14 +-
file_contexts/program/qmail.fc | 2
file_contexts/program/radvd.fc | 1
file_contexts/program/readahead.fc | 1
file_contexts/program/roundup.fc | 2
file_contexts/program/xdm.fc | 2
file_contexts/program/ypserv.fc | 1
file_contexts/types.fc | 8 -
genfs_contexts | 1
macros/base_user_macros.te | 4
macros/core_macros.te | 3
macros/global_macros.te | 32 ++++
macros/network_macros.te | 21 ++-
macros/program/apache_macros.te | 19 ++
macros/program/cdrecord_macros.te | 16 --
macros/program/chkpwd_macros.te | 17 --
macros/program/ethereal_macros.te | 7 -
macros/program/evolution_macros.te | 2
macros/program/gpg_macros.te | 2
macros/program/i18n_input_macros.te | 21 +++
macros/program/mail_client_macros.te | 5
macros/program/mozilla_macros.te | 7 +
macros/program/mta_macros.te | 2
macros/program/pyzor_macros.te | 2
macros/program/razor_macros.te | 2
macros/program/spamassassin_macros.te | 2
macros/program/su_macros.te | 10 +
macros/program/thunderbird_macros.te | 6
macros/program/uml_macros.te | 2
macros/user_macros.te | 1
mcs | 216 +++++++++++++++++++++++++++++++
net_contexts | 12 -
targeted/appconfig/root_default_contexts | 4
targeted/assert.te | 2
targeted/domains/unconfined.te | 6
tunables/distro.tun | 2
tunables/tunable.tun | 4
types/file.te | 4
types/network.te | 9 -
types/security.te | 4
132 files changed, 850 insertions(+), 269 deletions(-)
--- NEW FILE policy-20050811.patch ---
diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.25.4/attrib.te
--- nsapolicy/attrib.te 2005-07-19 10:57:04.000000000 -0400
+++ policy-1.25.4/attrib.te 2005-08-25 10:28:34.000000000 -0400
@@ -94,7 +94,7 @@
# The privowner attribute identifies every domain that can
# assign a different SELinux user identity to a file, or that
-# can create a file with an identity that's not the same as the
+# can create a file with an identity that is not the same as the
# process identity. This attribute is used in the constraints
# configuration.
attribute privowner;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.25.4/domains/misc/kernel.te
--- nsapolicy/domains/misc/kernel.te 2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.4/domains/misc/kernel.te 2005-08-25 10:28:34.000000000 -0400
@@ -11,7 +11,7 @@
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
#
-type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod ifdef(`nfs_export_all_rw',`,etc_writer'), privrangetrans ;
+type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod, etc_writer, privrangetrans ;
role system_r types kernel_t;
general_domain_access(kernel_t)
general_proc_read_access(kernel_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.25.4/domains/program/crond.te
--- nsapolicy/domains/program/crond.te 2005-08-11 06:57:10.000000000 -0400
+++ policy-1.25.4/domains/program/crond.te 2005-08-25 10:28:34.000000000 -0400
@@ -44,7 +44,7 @@
read_locale(crond_t)
# Use capabilities.
-allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
+allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice audit_control };
dontaudit crond_t self:capability sys_resource;
# Get security policy decisions.
@@ -106,7 +106,7 @@
# Inherit and use descriptors from initrc for anacron.
allow system_crond_t initrc_t:fd use;
-allow system_crond_t initrc_devpts_t:chr_file { read write };
+can_access_pty(system_crond_t, initrc)
# Use capabilities.
allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
@@ -207,5 +207,8 @@
#
ifdef(`apache.te', `
allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
+allow system_crond_t httpd_modules_t:lnk_file read;
')
dontaudit crond_t self:capability sys_tty_config;
+# Needed for certwatch
+can_exec(system_crond_t, httpd_modules_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.25.4/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te 2005-08-11 06:57:12.000000000 -0400
+++ policy-1.25.4/domains/program/fsadm.te 2005-08-25 10:28:34.000000000 -0400
@@ -64,7 +64,7 @@
allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
# Use capabilities. ipc_lock is for losetup
-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
# Write to /etc/mtab.
file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)
@@ -102,10 +102,10 @@
allow fsadm_t kernel_t:system syslog_console;
# Access terminals.
-allow fsadm_t { initrc_devpts_t admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
+can_access_pty(fsadm_t, initrc)
+allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
allow fsadm_t privfd:fd use;
-allow fsadm_t devpts_t:dir { getattr search };
read_locale(fsadm_t)
@@ -117,3 +117,4 @@
allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
allow fsadm_t usbfs_t:dir { getattr search };
allow fsadm_t ramfs_t:fifo_file rw_file_perms;
+allow fsadm_t device_type:chr_file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/getty.te policy-1.25.4/domains/program/getty.te
--- nsapolicy/domains/program/getty.te 2005-08-11 06:57:13.000000000 -0400
+++ policy-1.25.4/domains/program/getty.te 2005-08-30 11:34:16.000000000 -0400
@@ -59,3 +59,7 @@
ifdef(`pppd.te', `
domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
')
+ifdef(`use_mcs', `
+range_transition init_t getty_exec_t s0 - s0:c0.c127;
+range_transition getty_t login_exec_t s0 - s0:c0.c127;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/hostname.te policy-1.25.4/domains/program/hostname.te
--- nsapolicy/domains/program/hostname.te 2005-05-02 14:06:54.000000000 -0400
+++ policy-1.25.4/domains/program/hostname.te 2005-08-25 10:28:34.000000000 -0400
@@ -24,4 +24,5 @@
ifdef(`distro_redhat', `
allow hostname_t tmpfs_t:chr_file rw_file_perms;
')
-allow hostname_t initrc_devpts_t:chr_file { read write };
+can_access_pty(hostname_t, initrc)
+allow hostname_t initrc_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.25.4/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te 2005-08-11 06:57:13.000000000 -0400
+++ policy-1.25.4/domains/program/ifconfig.te 2005-08-25 10:28:34.000000000 -0400
@@ -34,7 +34,7 @@
allow ifconfig_t self:socket create_socket_perms;
# Use capabilities.
-allow ifconfig_t self:capability net_admin;
+allow ifconfig_t self:capability { net_raw net_admin };
dontaudit ifconfig_t self:capability sys_module;
allow ifconfig_t self:capability sys_tty_config;
@@ -52,7 +52,8 @@
allow ifconfig_t self:udp_socket create_socket_perms;
# Access terminals.
-allow ifconfig_t { user_tty_type initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(ifconfig_t, initrc)
+allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
allow ifconfig_t tun_tap_device_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.25.4/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te 2005-08-11 06:57:13.000000000 -0400
+++ policy-1.25.4/domains/program/initrc.te 2005-08-29 08:07:06.000000000 -0400
@@ -214,7 +214,15 @@
allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
allow initrc_t self:capability sys_admin;
allow initrc_t device_t:dir create;
-
+# wants to delete /poweroff and other files
+allow initrc_t root_t:file unlink;
+# wants to read /.fonts directory
+allow initrc_t default_t:file { getattr read };
+ifdef(`xserver.te', `
+# wants to cleanup xserver log dir
+allow initrc_t xserver_log_t:dir rw_dir_perms;
+allow initrc_t xserver_log_t:file unlink;
+')
')dnl end distro_redhat
allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
@@ -319,3 +327,9 @@
')
allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
allow initrc_t device_t:lnk_file create_file_perms;
+ifdef(`dbusd.te', `
+allow initrc_t system_dbusd_var_run_t:sock_file write;
+')
+
+# Slapd needs to read cert files from its initscript
+r_dir_file(initrc_t, cert_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.25.4/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.25.4/domains/program/ldconfig.te 2005-08-25 10:28:34.000000000 -0400
@@ -16,7 +16,8 @@
domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
dontaudit ldconfig_t device_t:dir search;
-allow ldconfig_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(ldconfig_t, initrc)
+allow ldconfig_t admin_tty_type:chr_file rw_file_perms;
allow ldconfig_t privfd:fd use;
uses_shlib(ldconfig_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/load_policy.te policy-1.25.4/domains/program/load_policy.te
--- nsapolicy/domains/program/load_policy.te 2005-05-02 14:06:54.000000000 -0400
+++ policy-1.25.4/domains/program/load_policy.te 2005-08-25 10:28:34.000000000 -0400
@@ -45,11 +45,9 @@
allow load_policy_t root_t:dir search;
allow load_policy_t etc_t:dir search;
-# Read the devpts root directory (needed?)
-allow load_policy_t devpts_t:dir r_dir_perms;
-
# Other access
-allow load_policy_t { admin_tty_type initrc_devpts_t devtty_t }:chr_file { read write ioctl getattr };
+can_access_pty(load_policy_t, initrc)
+allow load_policy_t { admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
uses_shlib(load_policy_t)
allow load_policy_t self:capability dac_override;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.25.4/domains/program/login.te
--- nsapolicy/domains/program/login.te 2005-07-12 08:50:42.000000000 -0400
+++ policy-1.25.4/domains/program/login.te 2005-08-25 10:28:34.000000000 -0400
@@ -62,6 +62,7 @@
ifdef(`pamconsole.te', `
rw_dir_create_file($1_login_t, pam_var_console_t)
+domain_auto_trans($1_login_t, pam_console_exec_t, pam_console_t)
')
# Use capabilities
@@ -200,23 +201,20 @@
[...2650 lines suppressed...]
+# | r2 op names
+# | t1 op names
+# | t2 op names
+# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+#
+# MCS policy for the file classes
+#
+# Constrain file access so that the high range of the process dominates
+# the high range of the file. We use the high range of the process so
+# that processes can always simply run at s0.
+#
+# Only files are constrained by MCS at this stage.
+#
+mlsconstrain file { read write setattr append unlink link rename
+ create ioctl lock execute } (h1 dom h2);
+
+# new file labels must be dominated by the relabeling subject's clearance
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto }
+ ( h1 dom h2 );
+
+
+# XXX
+#
+# For some reason, we need to reference the mlsfileread attribute
+# or we get a build error. Below is a dummy entry to do this.
+mlsconstrain xextension query ( t1 == mlsfileread );
+
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.25.4/net_contexts
--- nsapolicy/net_contexts 2005-08-11 06:57:10.000000000 -0400
+++ policy-1.25.4/net_contexts 2005-09-07 09:44:13.000000000 -0400
@@ -50,6 +50,10 @@
portcon tcp 53 system_u:object_r:dns_port_t
portcon udp 67 system_u:object_r:dhcpd_port_t
+portcon udp 647 system_u:object_r:dhcpd_port_t
+portcon tcp 647 system_u:object_r:dhcpd_port_t
+portcon udp 847 system_u:object_r:dhcpd_port_t
+portcon tcp 847 system_u:object_r:dhcpd_port_t
portcon udp 68 system_u:object_r:dhcpc_port_t
portcon udp 70 system_u:object_r:gopher_port_t
portcon tcp 70 system_u:object_r:gopher_port_t
@@ -223,14 +227,6 @@
#
# interface netif_context default_msg_context
#
-netifcon lo system_u:object_r:netif_lo_t system_u:object_r:unlabeled_t
-netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:unlabeled_t
-netifcon eth1 system_u:object_r:netif_eth1_t system_u:object_r:unlabeled_t
-netifcon eth2 system_u:object_r:netif_eth2_t system_u:object_r:unlabeled_t
-netifcon ippp0 system_u:object_r:netif_ippp0_t system_u:object_r:unlabeled_t
-netifcon ipsec0 system_u:object_r:netif_ipsec0_t system_u:object_r:unlabeled_t
-netifcon ipsec1 system_u:object_r:netif_ipsec1_t system_u:object_r:unlabeled_t
-netifcon ipsec2 system_u:object_r:netif_ipsec2_t system_u:object_r:unlabeled_t
# Nodes (default = initial SID "node")
#
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/appconfig/root_default_contexts policy-1.25.4/targeted/appconfig/root_default_contexts
--- nsapolicy/targeted/appconfig/root_default_contexts 2005-02-24 14:51:10.000000000 -0500
+++ policy-1.25.4/targeted/appconfig/root_default_contexts 2005-08-25 10:28:35.000000000 -0400
@@ -1,2 +1,6 @@
system_r:unconfined_t system_r:unconfined_t
system_r:initrc_t system_r:unconfined_t
+system_r:local_login_t system_r:unconfined_t
+system_r:remote_login_t system_r:unconfined_t
+system_r:rshd_t system_r:unconfined_t
+system_r:crond_t system_r:unconfined_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/assert.te policy-1.25.4/targeted/assert.te
--- nsapolicy/targeted/assert.te 2005-05-25 11:28:11.000000000 -0400
+++ policy-1.25.4/targeted/assert.te 2005-08-25 10:28:35.000000000 -0400
@@ -24,7 +24,7 @@
# send SIGCHLD for child termination notifications.
neverallow { domain -unrestricted } unconfined_t:process ~sigchld;
-# Confined domains must never see unconfined domain's /proc/pid entries.
+# Confined domains must never see /proc/pid entries for an unconfined domain.
neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr search };
#
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.25.4/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te 2005-07-12 08:50:44.000000000 -0400
+++ policy-1.25.4/targeted/domains/unconfined.te 2005-08-25 10:49:37.000000000 -0400
@@ -16,6 +16,7 @@
# macros and domains from the "strict" policy.
typealias bin_t alias su_exec_t;
typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
+
typeattribute tty_device_t admin_tty_type;
typeattribute devpts_t admin_tty_type;
@@ -63,6 +64,7 @@
bool use_samba_home_dirs false;
ifdef(`samba.te', `samba_domain(user)')
+ifdef(`i18n_input.te', `i18n_input_domain(user)')
# Allow system to run with NIS
bool allow_ypbind false;
@@ -77,3 +79,7 @@
allow domain self:process execmem;
}
+#Removing i18n_input from targeted for now, since wants to read users homedirs
+typealias bin_t alias i18n_input_exec_t;
+typealias unconfined_t alias i18n_input_t;
+typealias var_run_t alias i18n_input_var_run_t;
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.25.4/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.25.4/tunables/distro.tun 2005-08-25 10:28:35.000000000 -0400
@@ -5,7 +5,7 @@
# appropriate ifdefs.
-dnl define(`distro_redhat')
+define(`distro_redhat')
dnl define(`distro_suse')
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.25.4/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2005-08-11 06:57:20.000000000 -0400
+++ policy-1.25.4/tunables/tunable.tun 2005-08-25 10:28:35.000000000 -0400
@@ -1,5 +1,5 @@
# Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
# Allow privileged utilities like hotplug and insmod to run unconfined.
dnl define(`unlimitedUtils')
@@ -17,7 +17,7 @@
# Do not audit things that we know to be broken but which
# are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
# Otherwise, only staff_r can do so.
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.25.4/types/file.te
--- nsapolicy/types/file.te 2005-08-11 06:57:20.000000000 -0400
+++ policy-1.25.4/types/file.te 2005-08-25 10:28:35.000000000 -0400
@@ -325,6 +325,9 @@
type inotifyfs_t, fs_type, sysadmfile;
allow inotifyfs_t self:filesystem associate;
+type capifs_t, fs_type, sysadmfile;
+allow capifs_t self:filesystem associate;
+
# removable_t is the default type of all removable media
type removable_t, file_type, sysadmfile, usercanread;
allow removable_t self:filesystem associate;
@@ -333,6 +336,7 @@
# Type for anonymous FTP data, used by ftp and rsync
type ftpd_anon_t, file_type, sysadmfile, customizable;
+type ftpd_anon_rw_t, file_type, sysadmfile, customizable;
allow customizable self:filesystem associate;
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.25.4/types/network.te
--- nsapolicy/types/network.te 2005-08-11 06:57:20.000000000 -0400
+++ policy-1.25.4/types/network.te 2005-08-25 10:28:35.000000000 -0400
@@ -74,15 +74,6 @@
# interfaces in net_contexts or net_contexts.mls.
#
type netif_t, netif_type;
-type netif_eth0_t, netif_type;
-type netif_eth1_t, netif_type;
-type netif_eth2_t, netif_type;
-type netif_lo_t, netif_type;
-type netif_ippp0_t, netif_type;
-
-type netif_ipsec0_t, netif_type;
-type netif_ipsec1_t, netif_type;
-type netif_ipsec2_t, netif_type;
#
# node_t is the default type of network nodes.
diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.25.4/types/security.te
--- nsapolicy/types/security.te 2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.4/types/security.te 2005-08-29 09:59:24.000000000 -0400
@@ -19,6 +19,10 @@
# the security server policy configuration.
#
type policy_config_t, file_type, secadmfile;
+# Since libselinux attempts to read these by default, most domains
+# do not need it.
+dontaudit domain selinux_config_t:dir search;
+dontaudit domain selinux_config_t:file { getattr read };
#
# policy_src_t is the type of the policy source
Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/FC-4/.cvsignore,v
retrieving revision 1.114
retrieving revision 1.115
diff -u -r1.114 -r1.115
--- .cvsignore 25 May 2005 15:46:38 -0000 1.114
+++ .cvsignore 16 Sep 2005 14:31:40 -0000 1.115
@@ -80,3 +80,4 @@
policy-1.23.15.tgz
policy-1.23.16.tgz
policy-1.23.17.tgz
+policy-1.25.4.tgz
Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/FC-4/selinux-policy-strict.spec,v
retrieving revision 1.316
retrieving revision 1.317
diff -u -r1.316 -r1.317
--- selinux-policy-strict.spec 28 May 2005 05:15:47 -0000 1.316
+++ selinux-policy-strict.spec 16 Sep 2005 14:31:41 -0000 1.317
@@ -10,15 +10,17 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
-Version: 1.23.17
-Release: 3
+Version: 1.25.4
+Release: 10.1
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
Source1: booleans
+Source2: selinux.sh
+Source3: selinux.csh
Prefix: %{_prefix}
BuildRoot: %{_tmppath}/%{name}-buildroot
-Patch: policy-20050525.patch
+Patch: policy-20050811.patch
BuildArch: noarch
BuildRequires: checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils >= %{POLICYCOREUTILSVER}
@@ -71,6 +73,9 @@
touch ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/%{type}/src/policy/policy.conf
touch ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/config
touch ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/%{type}/booleans.local
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/profile.d
+install -m0755 %{SOURCE2} ${RPM_BUILD_ROOT}%{_sysconfdir}/profile.d/selinux.sh
+install -m0755 %{SOURCE3} ${RPM_BUILD_ROOT}%{_sysconfdir}/profile.d/selinux.csh
%clean
rm -rf ${RPM_BUILD_ROOT}
@@ -88,9 +93,9 @@
%config %{_sysconfdir}/selinux/%{type}/booleans
%ghost %config(noreplace) %{_sysconfdir}/selinux/%{type}/booleans.local
%{_sysconfdir}/selinux/%{type}/policy/policy.%{POLICYVER}
-%{_sysconfdir}/selinux/%{type}/contexts/files/file_contexts
+%config %{_sysconfdir}/selinux/%{type}/contexts/files/file_contexts
%{_sysconfdir}/selinux/%{type}/contexts/files/file_contexts.homedirs
-%{_sysconfdir}/selinux/%{type}/contexts/files/homedir_template
+%config %{_sysconfdir}/selinux/%{type}/contexts/files/homedir_template
%config(noreplace) %{_sysconfdir}/selinux/%{type}/contexts/files/media
%config(noreplace) %{_sysconfdir}/selinux/%{type}/contexts/dbus_contexts
%config(noreplace) %{_sysconfdir}/selinux/%{type}/contexts/default_contexts
@@ -103,7 +108,10 @@
%config %{_sysconfdir}/selinux/%{type}/users/system.users
%config(noreplace) %{_sysconfdir}/selinux/%{type}/users/local.users
%{_sysconfdir}/selinux/%{type}/contexts/customizable_types
+%{_sysconfdir}/selinux/%{type}/contexts/port_types
%{_mandir}/man8/*
+%{_sysconfdir}/profile.d/selinux.sh
+%{_sysconfdir}/profile.d/selinux.csh
%pre
if [ -f %{FILE_CONTEXT} ]; then
@@ -212,7 +220,7 @@
%post sources
if [ -x /usr/sbin/selinuxenabled -a -f /etc/selinux/config ]; then
. /etc/selinux/config
- if [ "${SELINUXTYPE}" = "%{type}" ] -a /usr/sbin/selinuxenabled; then
+ if [ "${SELINUXTYPE}" = "%{type}" ] && /usr/sbin/selinuxenabled; then
make -C %{POLICYDIR}/src/policy load > /dev/null 2>&1
[ -f %{PRE_FILE_CONTEXT} ] && fixfiles -l /dev/null -C %{PRE_FILE_CONTEXT} restore && rm -f %{PRE_FILE_CONTEXT}
fi
@@ -220,6 +228,71 @@
exit 0
%changelog
+* Fri Sep 16 2005 Dan Walsh <dwalsh at redhat.com> 1.25.4-10.1
+- Update to match targetd released policy
+
+* Sat Jun 25 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-17
+- Bump for FC4
+
+* Thu Jun 23 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-16
+- Fix postgres to allow it to connect to auth
+- Change cyrus-imapd to write to /var/spool/imap
+- Add Russell patches
+
+* Mon Jun 20 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-15
+- Fix pppd
+- Fix auditd
+
+* Sat Jun 18 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-14
+- Add Russell's patch for net_contexts
+
+* Fri Jun 17 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-13
+- Fix NetworkManager policy
+- Fix dovecot cert labeleing
+
+* Thu Jun 16 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-11
+- Fix NetworkManager dhcpd communications
+- Fix hotplug
+
+* Thu Jun 16 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-9
+- Update Ivan trusted/untrusted patch
+- add texrel_shlib_t to targeted
+
+* Wed Jun 15 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-7
+- Fixed for new cups domain hplip
+
+* Mon Jun 13 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-6
+- Further cleanup of user separation patches from Ivan
+
+* Fri Jun 10 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-5
+- Further cleanup of user separation patches from Ivan
+
+* Thu Jun 9 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-4
+- Add /etc/profile.d/selinux.sh /etc/profile.d/selinux.csh for strict
+- move ice_tmp_t definition for mls
+- More cleanup
+
+* Wed Jun 8 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-2
+- Add alsa policy
+- Policy cleanup from Ivan
+
+* Mon Jun 6 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-1
+- Upgrade from NSA
+ * Merged minor fixes to pppd.fc and courier.te by Russell Coker.
+ * Removed devfsd policy as suggested by Russell Coker.
+ * Merged patch from Dan Walsh. Includes beginnings of Ivan
+ Gyurdiev's Font Config policy. Don't transition to fsadm_t from
+ unconfined_t (sysadm_t) in targeted policy. Add support for
+ debugfs in modutil. Allow automount to create and delete
+ directories in /root and /home dirs. Move can_ypbind to
+ chkpwd_macro.te. Allow useradd to create additional files and
+ types via the skell mechanism. Other minor cleanups and fixes.
+
+
+* Sat May 28 2005 Dan Walsh <dwalsh at redhat.com> 1.23.17-4
+- Add evolution/thunderbird support for strict policy. Including
+break out of orbits, fonts, and gnome. All done by Ivan G.
+
* Sat May 28 2005 Dan Walsh <dwalsh at redhat.com> 1.23.17-3
- Update policy, to remove crond_log_t
- Fix selinuxenabled check
Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/FC-4/sources,v
retrieving revision 1.120
retrieving revision 1.121
diff -u -r1.120 -r1.121
--- sources 25 May 2005 15:46:38 -0000 1.120
+++ sources 16 Sep 2005 14:31:41 -0000 1.121
@@ -1 +1 @@
-6f4a8a6cd4eb487ff7f3a2d334fa4478 policy-1.23.17.tgz
+c2f1b1652314ae29e3a6b3b42e69a13e policy-1.25.4.tgz
More information about the fedora-cvs-commits
mailing list